Re: Does OTP need authentication?

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 12/14/03

Next message: John E. Hadstate: "Re: Does OTP need authentication?"

Previous message: Cyber Vagrant: "Re: More about --- Formulae for Latin squares of size 2^n"
In reply to: Douglas A. Gwyn: "Re: Does OTP need authentication?"
Next in thread: Richard Herring: "Re: Does OTP need authentication?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 14 Dec 2003 17:32:01 GMT

"Douglas A. Gwyn" <dagwyn@comcast.net> writes:
> I haven't yet checked all the other replies, but one
> thjing that can go wrong is that the message (header)
> indicates the portion of the pad to use, the attacker
> blocks delivery of a message (so that that portion of
> the OTP is not destroyed by the intended recipient)
> and keeps a copy, then sends the copy (spoof) later
> at a time when the old plaintext should no longer be
> accepted by the receiver. (This is called a "replay
> attack".) E.g., think of a stock transaction: "buy
> 100 shares of IBM stock", which may be a bad thing to
> do once IBM shares start a downswing. With proper
> authentication, the attacker's spoof message will not
> be accepted as coming from the original sender.

or man-in-the-middle (MITM) attack ... not traditional replay attack
where the attacker repeats a message that had been previously been
sent/received.

traditional replay attacks are accepted as authenticated coming from
the valid sender ... because they are a repeat of a message that in
fact came from a valid sender.

the issue on a delayed message is it a validly delayed message
... possibly because of intermediate communication glitches (like
email where some server has been down for a period of time) or a MITM
attack ... aka purposefully delayed to take advantage of
characteristic of some high level business process (in your example).

traditional replay attack (same message received more than once)
either has some unique identifier for each message (and the recepient
does something like keeping a log) or there is protocol chatter where
the recepient provides a unique challenge as part of the
initialization. Non-real-time based protocols (like email) will tend
to use unique sender originated value ... while real-time protocols
might tend towards protocol chatter initialization with recepient
doing something more like challenge/response.

something like delay sensitivity in the higher level business
processes might require other kinds of counter measures ... i.e. given
that the higher level business processes may be sensitive to delays
... then they might have to have delay recognition ability ... because
the infrastructure can be susceptible to other types of delay
resulting failures (not just attacker inititiated delays).

to some extent the message integrity issue is similar. transmission
level protocols tend have various kinds of redundant information with
regard to message integrity and transmission errors. an attacker may
try to attack the message integrity in such a way that it is not
caught by the transmission error process(es).

this is one of the places that "end-to-end" shows up as a basic
security principle .... aka non-end-to-end solutions tend to provide
cracks in the infrastructure which give rise to infrastructure
vulnerabilities. These vulnerabilities can just be plain systemic
failure issues (intermediate email server being out of service for
some period of time) or purposefully introduced by attacks (MITM
attack delaying message until after some specific event). Another is
MITM corruption of message integrity at some sort of intermediate node
that is not caught by the transmission based message integrity
services.

previous posting in this thead regarding taxonomy of authentication
http://www.garlic.com/~lynn/2003p.html#4 Does OTP need authentication?

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ 
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm

Next message: John E. Hadstate: "Re: Does OTP need authentication?"

Previous message: Cyber Vagrant: "Re: More about --- Formulae for Latin squares of size 2^n"
In reply to: Douglas A. Gwyn: "Re: Does OTP need authentication?"
Next in thread: Richard Herring: "Re: Does OTP need authentication?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Update #2 - Re: Google Bobbles NSA wiretap searches
... The Interlock Protocol, as described by Ron Rivest and Adi Shamir, was ... current asymmetric methods are all subject to an attack called ... the MITM attack. ... I would just leave all ARP replies enabled. ...
(comp.os.linux.security)
Re: Cracking SSL
... > a brute force throught the 40 bit keyspace a little more tractable. ... What made the attack more feasible than the "mere" 40bit key was ... poor PRNG code was in the server-side RSA key generation software. ... still being offered by production SSL servers is unknown to me: ...
(sci.crypt)
Re: Logon failures filling the event log
... Exchange web interface and CompanyWeb all require SSL and 128 bits. ... It's probably a brute-force attack. ... The authentication as seen from the authentication service comes from ... server farm (Windows 2003 standard, IIS6) hosting SSL secured, NTLM ...
(microsoft.public.windows.server.sbs)
Re: Logon failures filling the event log
... Exchange web interface and CompanyWeb all require SSL and 128 bits. ... It's probably a brute-force attack. ... The authentication as seen from the authentication service comes from ... server farm (Windows 2003 standard, IIS6) hosting SSL secured, NTLM ...
(microsoft.public.windows.server.sbs)
RE: OWA, basic authentication, and Windows NT Challenge and Response NTLM
... good example of a MITM attack. ... Ideally the OWA cert would be signed by a well-known and widely-trusted ... Also what would be the best defense against this sort of attack if your ... Planning, Computer Emergency Response Teams, and Digital Investigations. ...
(Security-Basics)